2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed

General

Target

2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe
Size

72KB
MD5

1b870218cf2d6a0d33a7f52dbf5bcce1
SHA1

b3767e9b9f5f8c6911adf0d390cd567f0ad4efb4
SHA256

2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed
SHA512

d0b43096efbac642b90ef6ce6db0ed417d6bb39d91049935317cdf0b07823fb812bea41d4fc89b654e985df00adf0d412e6a4cdaccebbe0ac83726721054f084
SSDEEP

1536:mD7BoolMEe71MOUOY0n0hQoTM4xxRkq+dBO:mD+eMdBT7Yw0hQs3V+fO

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 34 IoCs

exploit

Processes:

takeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exe

pid	process
960	takeown.exe
4548	icacls.exe
2256	icacls.exe
3868	icacls.exe
4408	takeown.exe
2608	takeown.exe
1508	takeown.exe
4576	icacls.exe
3488	takeown.exe
4892	takeown.exe
4836	icacls.exe
3096	takeown.exe
2520	takeown.exe
860	takeown.exe
2156	icacls.exe
344	icacls.exe
1824	icacls.exe
2760	takeown.exe
2956	takeown.exe
3720	icacls.exe
808	icacls.exe
3512	takeown.exe
676	icacls.exe
1264	icacls.exe
2296	takeown.exe
4656	icacls.exe
4440	takeown.exe
1468	takeown.exe
1248	icacls.exe
3508	takeown.exe
3584	icacls.exe
1724	takeown.exe
1080	icacls.exe
4556	icacls.exe

Modifies file permissions 1 TTPs 34 IoCs

discovery

File Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exe

pid	process
1824	icacls.exe
1080	icacls.exe
1248	icacls.exe
3512	takeown.exe
3096	takeown.exe
2760	takeown.exe
2608	takeown.exe
2296	takeown.exe
808	icacls.exe
344	icacls.exe
4440	takeown.exe
3488	takeown.exe
676	icacls.exe
1264	icacls.exe
4556	icacls.exe
4656	icacls.exe
2956	takeown.exe
2256	icacls.exe
1508	takeown.exe
4836	icacls.exe
3584	icacls.exe
4576	icacls.exe
860	takeown.exe
4892	takeown.exe
2156	icacls.exe
4408	takeown.exe
960	takeown.exe
3508	takeown.exe
3868	icacls.exe
2520	takeown.exe
4548	icacls.exe
1724	takeown.exe
1468	takeown.exe
3720	icacls.exe

Drops file in System32 directory 6 IoCs

Processes:

2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ctnt.exe	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe
File opened for modification	C:\Windows\SysWOW64\ctnt.exe	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe
File opened for modification	C:\Windows\SysWOW64\wscript.exe	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe
File opened for modification	C:\Windows\SysWOW64\cscript.exe	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2956	takeown.exe
Token: SeTakeOwnershipPrivilege	2760	takeown.exe
Token: SeTakeOwnershipPrivilege	1508	takeown.exe
Token: SeTakeOwnershipPrivilege	1724	takeown.exe
Token: SeTakeOwnershipPrivilege	4440	takeown.exe
Token: SeTakeOwnershipPrivilege	3488	takeown.exe
Token: SeTakeOwnershipPrivilege	2608	takeown.exe
Token: SeTakeOwnershipPrivilege	2296	takeown.exe
Token: SeTakeOwnershipPrivilege	3508	takeown.exe
Token: SeTakeOwnershipPrivilege	1468	takeown.exe
Token: SeTakeOwnershipPrivilege	4408	takeown.exe
Token: SeTakeOwnershipPrivilege	2520	takeown.exe
Token: SeTakeOwnershipPrivilege	860	takeown.exe
Token: SeTakeOwnershipPrivilege	4892	takeown.exe
Token: SeTakeOwnershipPrivilege	3512	takeown.exe
Token: SeTakeOwnershipPrivilege	960	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe

pid process

4472 2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe

pid	process
4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe

description	pid	process	target process
PID 4472 wrote to memory of 3096	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	takeown.exe
PID 4472 wrote to memory of 3096	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	takeown.exe
PID 4472 wrote to memory of 3096	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	takeown.exe
PID 4472 wrote to memory of 344	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	icacls.exe
PID 4472 wrote to memory of 344	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	icacls.exe
PID 4472 wrote to memory of 344	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	icacls.exe
PID 4472 wrote to memory of 2956	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	takeown.exe
PID 4472 wrote to memory of 2956	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	takeown.exe
PID 4472 wrote to memory of 2956	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	takeown.exe
PID 4472 wrote to memory of 1824	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	icacls.exe
PID 4472 wrote to memory of 1824	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	icacls.exe
PID 4472 wrote to memory of 1824	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	icacls.exe
PID 4472 wrote to memory of 2760	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	takeown.exe
PID 4472 wrote to memory of 2760	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	takeown.exe
PID 4472 wrote to memory of 2760	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	takeown.exe
PID 4472 wrote to memory of 2256	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	icacls.exe
PID 4472 wrote to memory of 2256	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	icacls.exe
PID 4472 wrote to memory of 2256	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	icacls.exe
PID 4472 wrote to memory of 1508	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	takeown.exe
PID 4472 wrote to memory of 1508	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	takeown.exe
PID 4472 wrote to memory of 1508	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	takeown.exe
PID 4472 wrote to memory of 4576	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	icacls.exe
PID 4472 wrote to memory of 4576	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	icacls.exe
PID 4472 wrote to memory of 4576	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	icacls.exe
PID 4472 wrote to memory of 1724	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	takeown.exe
PID 4472 wrote to memory of 1724	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	takeown.exe
PID 4472 wrote to memory of 1724	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	takeown.exe
PID 4472 wrote to memory of 1080	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	icacls.exe
PID 4472 wrote to memory of 1080	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	icacls.exe
PID 4472 wrote to memory of 1080	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	icacls.exe
PID 4472 wrote to memory of 4440	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	takeown.exe
PID 4472 wrote to memory of 4440	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	takeown.exe
PID 4472 wrote to memory of 4440	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	takeown.exe
PID 4472 wrote to memory of 676	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	icacls.exe
PID 4472 wrote to memory of 676	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	icacls.exe
PID 4472 wrote to memory of 676	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	icacls.exe
PID 4472 wrote to memory of 3488	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	takeown.exe
PID 4472 wrote to memory of 3488	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	takeown.exe
PID 4472 wrote to memory of 3488	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	takeown.exe
PID 4472 wrote to memory of 1264	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	icacls.exe
PID 4472 wrote to memory of 1264	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	icacls.exe
PID 4472 wrote to memory of 1264	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	icacls.exe
PID 4472 wrote to memory of 2608	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	takeown.exe
PID 4472 wrote to memory of 2608	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	takeown.exe
PID 4472 wrote to memory of 2608	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	takeown.exe
PID 4472 wrote to memory of 2156	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	icacls.exe
PID 4472 wrote to memory of 2156	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	icacls.exe
PID 4472 wrote to memory of 2156	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	icacls.exe
PID 4472 wrote to memory of 2296	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	takeown.exe
PID 4472 wrote to memory of 2296	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	takeown.exe
PID 4472 wrote to memory of 2296	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	takeown.exe
PID 4472 wrote to memory of 4556	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	icacls.exe
PID 4472 wrote to memory of 4556	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	icacls.exe
PID 4472 wrote to memory of 4556	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	icacls.exe
PID 4472 wrote to memory of 3508	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	takeown.exe
PID 4472 wrote to memory of 3508	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	takeown.exe
PID 4472 wrote to memory of 3508	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	takeown.exe
PID 4472 wrote to memory of 3868	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	icacls.exe
PID 4472 wrote to memory of 3868	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	icacls.exe
PID 4472 wrote to memory of 3868	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	icacls.exe
PID 4472 wrote to memory of 1468	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	takeown.exe
PID 4472 wrote to memory of 1468	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	takeown.exe
PID 4472 wrote to memory of 1468	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	takeown.exe
PID 4472 wrote to memory of 3720	4472	2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe
"C:\Users\Admin\AppData\Local\Temp\2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4472

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\system32\ctnt.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3096

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\system32\ctnt.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:344

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2956

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1824

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2256

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4576

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1080

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4440

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:676

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3488

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1264

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2608

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2156

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2296

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4556

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3508

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3868

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1468

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3720

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4408

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1248

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2520

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4656

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:860

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:808

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4892

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4836

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3512

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3584

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4548

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ctnt.exe
Filesize
72KB

MD5
1b870218cf2d6a0d33a7f52dbf5bcce1

SHA1
b3767e9b9f5f8c6911adf0d390cd567f0ad4efb4

SHA256
2b6200b7809e8ee17d4294be04c6312d3ab8b542c639db8e6d88d7f9e2c536ed

SHA512
d0b43096efbac642b90ef6ce6db0ed417d6bb39d91049935317cdf0b07823fb812bea41d4fc89b654e985df00adf0d412e6a4cdaccebbe0ac83726721054f084

Download Submit
memory/344-136-0x0000000000000000-mapping.dmp

Download
memory/676-146-0x0000000000000000-mapping.dmp

Download
memory/808-162-0x0000000000000000-mapping.dmp

Download
memory/860-161-0x0000000000000000-mapping.dmp

Download
memory/960-167-0x0000000000000000-mapping.dmp

Download
memory/1080-144-0x0000000000000000-mapping.dmp

Download
memory/1248-158-0x0000000000000000-mapping.dmp

Download
memory/1264-148-0x0000000000000000-mapping.dmp

Download
memory/1468-155-0x0000000000000000-mapping.dmp

Download
memory/1508-141-0x0000000000000000-mapping.dmp

Download
memory/1724-143-0x0000000000000000-mapping.dmp

Download
memory/1824-138-0x0000000000000000-mapping.dmp

Download
memory/2156-150-0x0000000000000000-mapping.dmp

Download
memory/2256-140-0x0000000000000000-mapping.dmp

Download
memory/2296-151-0x0000000000000000-mapping.dmp

Download
memory/2520-159-0x0000000000000000-mapping.dmp

Download
memory/2608-149-0x0000000000000000-mapping.dmp

Download
memory/2760-139-0x0000000000000000-mapping.dmp

Download
memory/2956-137-0x0000000000000000-mapping.dmp

Download
memory/3096-134-0x0000000000000000-mapping.dmp

Download
memory/3488-147-0x0000000000000000-mapping.dmp

Download
memory/3508-153-0x0000000000000000-mapping.dmp

Download
memory/3512-165-0x0000000000000000-mapping.dmp

Download
memory/3584-166-0x0000000000000000-mapping.dmp

Download
memory/3720-156-0x0000000000000000-mapping.dmp

Download
memory/3868-154-0x0000000000000000-mapping.dmp

Download
memory/4408-157-0x0000000000000000-mapping.dmp

Download
memory/4440-145-0x0000000000000000-mapping.dmp

Download
memory/4548-168-0x0000000000000000-mapping.dmp

Download
memory/4556-152-0x0000000000000000-mapping.dmp

Download
memory/4576-142-0x0000000000000000-mapping.dmp

Download
memory/4656-160-0x0000000000000000-mapping.dmp

Download
memory/4836-164-0x0000000000000000-mapping.dmp

Download
memory/4892-163-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads